NYDFS Cybersecurity Regulations

What is 23 NYCRR 500?


The New York Department of Financial Services (NYDFS) enforces a set of cybersecurity regulations, 23 NYCRR 500, for the banking, insurance, and financial services sectors operating within the state of New York. The regulation is designed to encourage the development of durable processes and procedures to protect customer data and the underlying information technology systems. 23 NYCRR 500 went into effect on March 1, 2017 and applies to "Covered Entities," defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” For organizations trying to confirm whether they are supervised under 23 NYCRR 500, NYDFS provides a search form along with the key dates associated with each compliance milestone. Like many cybersecurity regulations, 23 NYCRR 500 is ultimately designed to achieve one result: effective security throughout the data life cycle.

Section 500.03 of 23 NYCRR 500 requires each Covered Entity to create and maintain a written Cybersecurity Policy, with associated procedures, “for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.” In practice this work is typically owned by the CISO. Section 500.03 lists the areas the policy must address; Section 500.03(b) specifically names "data governance and classification." The policy must be approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body.

The key tasks organizations must complete to comply with 23 NYCRR 500 include:

  • Appoint a CISO (if one isn’t already in place)
  • Perform risk assessments (which must be kept up to date on an ongoing basis)
  • Document all organizational policies and procedures
  • Perform penetration testing and vulnerability assessments
  • Train all staff on a regular basis
  • Monitor your assets and create audit trails
  • Limit user privilege
  • Securely destroy unnecessary data 

Key Components Necessary To Achieve And Maintain 23 NYCRR 500 Compliance

  • Creation and ongoing management of a cybersecurity program
  • Creation of a written cybersecurity policy
  • Designation of a Chief Information Security Officer (CISO)
  • Penetration testing and vulnerability assessments, performed on a recurring basis
  • Audit trails designed to reconstruct material financial transactions
  • Implementation and monitoring of least-privilege access to Nonpublic Information
  • A written Incident Response Plan (IRP)
  • Evaluation of third-party service providers and their security policies
  • Notification to NYDFS of a cybersecurity event within 72 hours of determining that one has occurred
  • Annual compliance certification signed by the Chairperson of the board of directors or a Senior Officer

How Fortra’s Digital Guardian can help you comply with 23 NYCRR 500

Fortra's Digital Guardian helps organizations comply with 23 NYCRR 500 by providing comprehensive data protection and security measures that address key requirements of the regulation. Here's how Digital Guardian supports compliance: 

Monitoring and Logging

Digital Guardian continuously monitors data access and usage, generating detailed logs that track all interactions with sensitive information. These logs are essential for detecting potential security incidents, auditing access, and demonstrating compliance with the regulation.
